Hi guys, I'm working on a firewall with a transparent proxy (tinyproxy) and a content filter (dansguardian).
That’s my network scheme:
Subnet 192.168.10.0/24 <—> 192.168.1.1 [Firewall] 192.168.1.2 <–(point2point)–> 192.168.1.1 CISCO Router (locked by ISP)
Now I have to write down some iptables rules to make everything work. Unfortunately I have to be sure that my code is error-free, as I'm on a server of a public association and I cannot stop any service for more than a bunch of seconds.
So here’s the code:
Code:
#!/bin/sh
# This is the content of a sh executable loaded on boot
IF_LAN="eth0"
IF_EXT="eth1"
PROXY_PORT="8080"
# Flush all rules and user chains, then default to DROP
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow lan traffic to be accepted
iptables -A INPUT -s 192.168.10.0/24 -i $IF_LAN -j ACCEPT
# Allow 80, 443, 53 destinated traffic to be forwarded
iptables -A FORWARD -s 192.168.10.0/24 -i $IF_LAN -o $IF_EXT \
-p tcp -m multiport --dports 80,443 --sport 1024:65535 -j ACCEPT
iptables -A FORWARD -p udp -i $IF_LAN -o $IF_EXT --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A FORWARD -p udp -i $IF_EXT -o $IF_LAN --sport 53 --dport 1024:65535 -j ACCEPT
# Allow response from firewall to go back (the state option takes two dashes)
iptables -A INPUT -i $IF_LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
# I wonder if MASQ is needed and I don't know why this line is here
iptables -t nat -A POSTROUTING -o $IF_LAN -j MASQUERADE
# Allow answers to the lan
iptables -A OUTPUT -d 192.168.10.0/24 -o $IF_LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow connection to the world from the firewall itself
iptables -A OUTPUT -o $IF_EXT -j ACCEPT
# Open SSH port for administration
iptables -A INPUT -i $IF_LAN -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $IF_EXT -p tcp --dport 22 -j ACCEPT
# Allow tinyproxy to communicate with www as it runs as nobody
# (must come before the REDIRECT so the proxy's own requests are not looped back)
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner nobody -j ACCEPT
# Redirecting everything outgoing to 80, to the content filter / transparent proxy
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
I have some questions on what I found around the web (I'm too much of a noob with iptables):
What does masquerading this way mean? (Does output on the LAN need masq???)
Using a proxy in this transparent way for port 80 traffic, will it avoid using masquerading for all kinds of traffic, or do I need to masquerade the subnet in POSTROUTING?
So anybody who wants to help, please correct this piece of bad code.
Thank you all!
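For comparison, here is how the same setup is usually laid out, as an added example that is not part of the original post: the LAN clients' port-80 traffic is intercepted in nat PREROUTING (nat OUTPUT only sees packets the firewall itself sends), the proxy's own fetches are excluded from the redirect, and MASQUERADE sits on the external interface. It assumes the post's interface names, subnet, proxy port and proxy user; by default IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the poster's script. Dry run by default: IPT=echo prints
# every rule; run as root with IPT=iptables to load it for real.
IPT="${IPT:-echo}"
IF_LAN="eth0"              # assumed, same as in the post
IF_EXT="eth1"
LAN_NET="192.168.10.0/24"
PROXY_PORT="8080"          # tinyproxy listener on the firewall
PROXY_USER="nobody"        # account tinyproxy runs as

rules() {
    # Start clean in both tables and default to DROP, then whitelist.
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    # Stateful: replies to already accepted connections pass in every chain.
    $IPT -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Transparent proxy for LAN clients: intercept in PREROUTING, not OUTPUT.
    $IPT -t nat -A PREROUTING -i $IF_LAN -s $LAN_NET -p tcp --dport 80 \
         -j REDIRECT --to-ports $PROXY_PORT
    # Firewall's own HTTP goes through the proxy too, except the proxy's own
    # fetches, which would otherwise be redirected back to itself in a loop.
    $IPT -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner $PROXY_USER -j ACCEPT
    $IPT -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
    # Redirected packets arrive on INPUT at the proxy port; accept from LAN only.
    $IPT -A INPUT -i $IF_LAN -s $LAN_NET -p tcp --dport $PROXY_PORT -j ACCEPT
    # SSH for administration from the LAN.
    $IPT -A INPUT -i $IF_LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT
    # Traffic that bypasses the proxy and is forwarded: HTTPS and DNS.
    $IPT -A FORWARD -i $IF_LAN -o $IF_EXT -s $LAN_NET -p tcp --dport 443 -j ACCEPT
    $IPT -A FORWARD -i $IF_LAN -o $IF_EXT -s $LAN_NET -p udp --dport 53 -j ACCEPT
    # MASQUERADE belongs on the outbound interface: forwarded LAN packets get the
    # firewall's external address, so replies from the Internet can come back.
    $IPT -t nat -A POSTROUTING -o $IF_EXT -s $LAN_NET -j MASQUERADE
    # The firewall itself (proxy, DNS, updates) may reach the world.
    $IPT -A OUTPUT -o $IF_EXT -j ACCEPT
}

rules
```

Proxied port-80 traffic never enters FORWARD, so it needs no MASQUERADE of its own: the proxy opens the upstream connection from the firewall's address. Everything that is forwarded (here HTTPS and DNS) still needs the POSTROUTING rule.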